from the the-lizard-wrangler-speaks dept

Techdirt has been covering India's monster biometric database, Aadhaar, since 2015. Media in India, naturally, have been on the story longer, and continue to provide detailed coverage of its roll-out and application. But wider knowledge of the trailblazing identity project remains limited. One international organization that has been working to raise awareness is Mozilla, home of the Firefox browser and Thunderbird email client.

The current proposal exempts biometric info from the definition of sensitive personal information that must be especially protected. This is backwards, biometric info is some of the most personal info, and can’t be "reset" like a password.

The design of Aadhaar fails to provide meaningful consent to users. This is seen, for example, by the ever increasing number of public and private services that are linked to Aadhaar without users being given a meaningful choice in the matter. This can and should be remedied by stronger consent, data minimization, collection limitation, and purpose limitation obligations.

Instead of crafting narrow exemptions for the legitimate needs of law enforcement, you propose to exempt entire agencies from accountability and legal restrictions on how user data may be accessed and processed.

Your report also casts doubt on whether individuals should be allowed a right to object over how their data is processed; this is a core pillar of data protection, without a right to object, consent is not meaningful and individual liberty is curtailed.

On a Web page called "Key challenges and the way forward", Mozilla calls on the Indian government to "pause further roll out of Aadhaar until the major problems with Aadhaar have been addressed." It also has a further suggestion:

The Indian government must release Aadhaar as true open source software rather than use language of open source, and encourage the use, development, and adoption of open source as a pillar of the Aadhaar system

Of course, you might expect an open source foundation like Mozilla to say that, but nonetheless it's good to see what is at heart a software organization engaging with global problems that affect huge numbers of people in this way. Others should do the same.

from the copywrong dept

We should all know by now that Facebook's reliability in handling copyright takedown requests is... not great. Like far too many internet platforms these days, the site typically puts its thumbs heavily on the scales such that the everyday user gets far less preference than large purported rights holders. I say "purported" because, of course, many bogus takedown requests get issued all the time. It's one of the reasons that relying on these platforms, when they have shown no willingness to have any sort of spine on copyright matters, is such a mistake.

But few cases are as egregious as that of Leo Saldanha, a well-known environmental activist in India. When I tell you that Saldanha had a Facebook post taken down over a copyright notice, you must certainly be thinking that it had something to do with environmental activism. Nope! Actually, Saldanha wrote an all-text mini-review of an Indian film, Padmaavat, which was taken down after the distributor for the film claimed the post infringed on its copyrights. Here is the entirety of his post that was taken down.

“In my view, #padmaavat is a bore fest. Halfway the movie was coming to an end, I felt. But then woke up to the cruel fact there still was the other half, and it involved the horribly cruel act of mass suicide. There is something horribly wrong about a film, when a man’s voice reasserts, that this gory act was to protect ‘Bharat’s swabhimaan, or something to that effect.”

“The whole movie has one plot: of owning a woman. And all the characters conspire to subordinate women. True, this is a mythological account of times far in the past. But that one statement after the movie emphasises horrendous social mores of a medieval time and contextualises it as relevant to our times. Movies like these aren’t made with innocent intentions. Ranveer Singh is an incredible actor!”

Seriously, that text is the entire post. And I have to say that it's quite tame as far as movie reviews go, not to mention fairly relevant from a movie critique standpoint. This wasn't someone dumping on the movie for fun. Saldanha had a well-thought-out point, regardless of whether anyone might agree with the content of his argument. Certainly nothing in that is copyright infringement by any measure.

Yet Viacom 18 issued the takedown request and Facebook complied. Not only did it comply, in fact, but when Saldanha pushed back on Facebook trying to figure out what the hell was going on here, the only reply from the site was to warn of a perma-ban for repeated infringement and a recommendation to get Viacom 18's permission to post his review. Saldanha, to put it lightly, was not pleased with this response.

Speaking to TNM, Saldanha says that he is deeply offended by the messages he received from Facebook and the allegation that he had violated anyone’s rights on any social media platform.

“Anyone should be free to express in any form, their views about public matters. This includes the right to agree, disagree and the right to dissent. I also maintain that I have never used threatening language while offering my opinion on any issue that is public, or of any public person. The fact that Facebook pulled down my post is a serious issue. This only shows that Facebook leans towards those with financial muscle. Viacom18 clearly does not want critical views for the movie,” Saldanha says.

There are all sorts of ways this could have happened -- but none of them make either Viacom 18 or Facebook look good. The most immediate theory would be Viacom 18 abusing copyright law to take down a negative review -- and Facebook assisting without a good reason. A more charitable (though still terrible) explanation would chalk it up to (once again) horrible automated systems flagging anything mentioning Padmaavat and falsely assuming it's infringing. And, again, Facebook assisted this without good reason. No matter what, it's yet another example in our increasingly long list of cases where copyright is used for censorship.

from the wrong-target dept

For many years now, we've been among those raising concerns about India's giant identity database known as Aadhaar. A few weeks ago, we wrote that there appeared to be a fairly massive breach of data from that database, and that the information was now available on the dark web for cheap.

This is obviously quite concerning and you'd hope that various Indian government agencies would launch an appropriate investigation. And... it appears at least one investigation has been launched. But, not into the leak. Instead, it's allegedly into the reporter who exposed the leak:

A branch of the Indian government filed a police complaint last week launching an investigation into journalist Rachna Kaira and the Tribune of India, after the publication released a report describing what looks to be a massive vulnerability in a government database that is being exploited by an unknown group to sell highly sensitive and private data about Indian citizens.

The details on the "police complaint" remain sparse, so perhaps it's not a huge deal -- but any attempt to investigate and/or intimidate (and those can be one and the same in some cases) a reporter for merely exposing a fairly big possible data breach that could affect over a billion people at least suggests an interest in covering up the breach, rather than in understanding the breach and preventing further damage.

It took just Rs 500 [about $8], paid through Paytm [an Indian online payment system], and 10 minutes in which an "agent" of the group running the racket created a "gateway" for this correspondent and gave a login ID and password. Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI (Unique Identification Authority of India), including name, address, postal code (PIN), photo, phone number and email.

What is more, The Tribune team paid another Rs 300 [$4.75], for which the agent provided "software" that could facilitate the printing of the Aadhaar card after entering the Aadhaar number of any individual.

Given the repeated assurances by the UIDAI that the Aadhaar database was completely secure, this is big news, and led to some breathless damage limitation by the Indian authorities on Twitter. The UIDAI explained that: "Some persons have misused demographic search facility, given to designated officials to help residents who have lost Aadhaar/Enrollment slip to retrieve their details"; and: "There has not been any data breach of biometric database which remains fully safe & secure with highest encryption at UIDAI and mere display of demographic info cannot be misused without biometric". Although it may be true that this is not a biometric data breach, it nonetheless reveals a serious vulnerability in the system's design, and on a vast scale. According to the original article in The Tribune, more than 100,000 "village-level enterprise operators", hired to help with Aadhaar enrollment, have been offering this kind of unauthorized access to the database. In fact, the problem seems to be even more serious than simply providing login credentials to thousands of people. Here's what another Indian site discovered:

Following up on an investigation by The Tribune, The Quint found that completely random people like you and me, with no official credentials, can access and become admins of the official Aadhaar database (with names, mobile numbers, addresses of every Indian linked to the UIDAI scheme). But that's not even the worst part. Once you are an admin, you can make ANYONE YOU CHOOSE an admin of the portal. You could be an Indian, you could be a foreign national, none of it matters -- the Aadhaar database won't ask.

Even if biometric data is not involved, it's hard to see how UIDAI could claim that these aren't breaches of the database, or deny that the entire Aadhaar system is seriously compromised. It's almost inevitable that the security of an important database system will be defeated eventually in some way, since the rewards are by definition so high. The fundamental problem with Aadhaar is its underlying intent -- to create a single, giant database with key personal information about a billion people that can be accessed very frequently and very widely. That's never going to be safe, as the inevitable future breaches will confirm.

from the what-listening-to-the-public-looks-like dept

While the United States is busy giving the world a crash course on what telecom regulatory capture looks like, India is taking a decidedly different tack with net neutrality. Last year, the Telecom Regulatory Authority of India (TRAI) began laying the groundwork for some real, tough net neutrality rules aimed at protecting their internet markets and consumers from anti-competitive ISP behavior. Here in the States, our soon-to-be-discarded rules left some fairly gaping loopholes governing "zero rating," which allows ISPs to impose often arbitrary and unnecessary usage caps, then exempt their own content while hindering competitors.

But when the TRAI released its net neutrality guidelines (pdf) late last month, they made it clear that the rules would not only protect against throttling, blocking, or other ham-fisted anti-competitive behavior, but would also be putting the kibosh on zero rating. In previous statements, TRAI had made it abundantly clear that ISPs consistently use artificial scarcity and usage caps to engage in anti-competitive shenanigans via this practice (a realization the FCC in the United States only made after it was too late):

"...differential tariffs result in classification of subscribers based on the content they want to access (those who want to access non-participating content will be charged at a higher rate than those who want to access participating content). This may potentially go against the principle of non-discriminatory tariff. Secondly, differential tariffs arguably disadvantage small content providers who may not be able to participate in such schemes. This may thus, create entry barriers and non-level playing field for these players stifling innovation. In addition, ISPs may start promoting their own websites/apps/service platforms by giving lower rates for accessing them."

Indian consumers received a crash course on the downside of zero rating thanks to Facebook and its "Free Basics" program. Under the initial version of Free Basics, users obtained free access to a walled garden version of the internet, filled with Facebook-curated content. And while Facebook repeatedly tried to claim it was simply really concerned about helping poor Indian farmers, critics began to notice that Facebook was really just trying to corner the ad market. They also began to realize that letting the social media giant determine winners and losers online wasn't a particularly smart idea.

Facebook boss Mark Zuckerberg responded indignantly to these charges, arguing that those that didn't like Facebook's plan to AOL-ify the internet in India were simply enemies of the poor. But critics like the EFF persisted, noting that Facebook's approval process not only banned sites that used encryption, but was even opposed by many content partners. Outfits like Mozilla, meanwhile, argued that if Facebook was so concerned with connecting the poor, why not pay to connect them to the actual internet and avoid any controversy?

"The debate ... that this ruling was about was essentially the same one that’s taking place in the US, about whether certain sites should be available at faster speeds,” said Nikhil Pahwa, a digital rights activist who's been a leader in India's fight for net neutrality. “And the Indian regulators essentially ruled that there needs to be non-discriminating practices by [internet service providers], where they don’t give preferential treatment to one side or the other."

“Net neutrality ensures that there’s free and fair competition on the internet, instead of a situation without net neutrality where the [internet service providers] pick winners,” Pahwa said, adding that “India’s been at the forefront of this battle."

This is all of course the polar opposite of what's now occurring in the States, where FCC boss Ajit Pai is preparing to obliterate what were already quite modest protections by international (Japan, Canada, India, The Netherlands) standards. And, much like the record 20+ million consumers who oppose Pai's plan, Indian Americans are equally flummoxed by Pai's grotesque handout to what's potentially the least-popular industry in America.

from the constitutional-core-of-human-dignity dept

In a move that will have major implications for the online world in India and beyond, nine Supreme Court judges have ruled unanimously that privacy is a fundamental right under the Indian Constitution. As part of a decision spanning 547 pages (pdf) they declared:

Privacy is the constitutional core of human dignity.

The case was brought as a result of a legal challenge to India's huge biometric database, Aadhaar, whose rise Techdirt has been charting for some years. A post on the EFF Web site explains the legal background, and why the Supreme Court decision was necessary:

The right to privacy in India has developed through a series of decisions over the past 60 years. Over the years, inconsistency from two early judgments created a divergence of opinion on whether the right to privacy is a fundamental right. Last week's judgment reconciles those different interpretations to unequivocally declare that it is. Moreover, constitutional provisions must be read and interpreted in a manner which would enhance their conformity with international human rights instruments ratified by India. The judgment also concludes that privacy is a necessary condition for the meaningful exercise of other guaranteed freedoms.

Now that a solid constitutional foundation for privacy in India has been affirmed, other judges will proceed with examining the legality of Aadhaar in the light of the many relevant points made in the ruling:

The Aadhaar hearings, which were cut short, are expected to resume under a smaller three- or five-judge bench later this month. Outside of the pending Aadhaar challenge, the ruling can also form the basis of new legal challenges to the architecture and implementation of Aadhaar. For example, with growing evidence that state governments are already using Aadhaar to build databases to profile citizens, the security of data and limitations on data convergence and profiling may be areas for future privacy-related challenges to Aadhaar.

A case challenging WhatsApp's new privacy policy that allows content sharing with Facebook is also certain to be affected by the ruling, but the ramifications go far beyond Aadhaar and the digital world. As an analysis in the Economic Times notes, the judgment could lead to the decriminalization of homosexuality in India, as well as affecting laws that restrict a person's right to convert to a different religion, and state-level rules that impose restrictions on animal slaughter. The breadth of those possible impacts underlines just how epoch-making last week's decision is likely to prove.

from the street-sweeper-for-justice dept

How many innocents would you accept being caught up in an action designed to nab criminals? How many good people is it acceptable to throw into jail alongside the truly bad actors? Most people would agree that any action that penalizes the innocent in order to punish the guilty is a bad course, with only truly minimal amounts of collateral damage being acceptable. Now let's port that over to internet sites and ask how many innocent websites is it acceptable to block in order to block sites that are actually engaged in undesirable behavior?

Well, for the legal system in India, that question has often been answered in a cavalier manner, with regular court orders to block innocent websites being doled out both to battle terrorism and, at the request of copyright holders, to stop infringement. It's in the latter cases where things get really silly, with previous orders issued to block sites like GitHub and the Internet Archive. Well, it seems the Internet Archive endured this sort of thing again recently, as a court order at the request of two Bollywood film studios caught archive.org in its ISP-blocking web.

Earlier this week (and again for no apparent reason), the world renowned Internet Archive was rendered inaccessible to millions of users in India. The platform, which is considered by many to be one of the Internet’s most valued resources, hosts more than 15 petabytes of data, a figure which grows on a daily basis. Yet despite numerous requests for information, none was forthcoming from authorities. Quoted by local news outlet Medianama, Chris Butler, Office Manager at the Internet Archive, said that their attempts to contact the Indian Department of Telecom (DoT) and the Ministry of Electronics and Information Technology (Meity) had proven fruitless.

Now, however, the mystery has been solved. The BBC says a local government agency provided a copy of a court order obtained by two Bollywood production companies who are attempting to slow down piracy of their films in India. Issued by a local judge, the sweeping order compels local ISPs to block access to 2,650 mainly file-sharing websites, including The Pirate Bay, RARBG, the revived KickassTorrents, and hundreds of other ‘usual suspects’. However, it also includes the URL for the Internet Archive, hence the problems with accessibility this week.

Let's be clear about what this sort of thing represents: the punishment of the innocent in favor of an easy and lazy attempt to block copyright infringement. That's not an overstatement. The continued use of court orders to block entire websites and the routine collateral damage are not exceptions, they are the rule. That they are allowed to continue to do this sort of damage even while the Indian government hand-waves away frantic requests for information from innocent site operators is as good a definition of whatever the opposite of justice is as I can think of.

Importantly, neither the court that issued the order nor the two film companies requesting it, and ostensibly providing the list of sites to be blocked, are due any recompense for these actions. Perhaps most frustrating, the Internet Archive has clearly stated that not only does it have a method for copyright holders to request content takedowns, but it complied with those requests from these very same film studios.

“Is the Court aware of and did it consider the fact that the Internet Archive has a well-established and standard procedure for rights holders to submit take down requests and processes them expeditiously?” the platform said. “We find several instances of take down requests submitted for one of the plaintiffs, Red Chillies Entertainments, throughout the past year, each of which were processed and responded to promptly. After a preliminary review, we find no instance of our having been contacted by anyone at all about these films. Is there a specific claim that someone posted these films to archive.org? If so, we’d be eager to address it directly with the claimant.”

Now, archive.org was not the only innocent site blocked by this order. Weebly.com, along with at least one news site and the site for a French ISP, was also blocked. Still, this damage appears to be mostly met with indifferent shrugs by the Indian government and the film studios that issued this request.

So, for India, we have an answer to the question of how many innocent sites it's willing to harm to combat copyright infringement. That answer, by our litmus test, is "too many."

from the good-luck-with-that dept

The global war against privacy tools, VPNs and encryption continues utterly unhinged from common sense, and the assault on consumer privacy remains a notably global affair. Reddit users recently noticed that India's fifth largest ISP, YOU Broadband, is among several of the country's ISPs that have been trying to prevent customers from using meaningful encryption. According to the company's updated terms of service, as a customer of the ISP you're supposed to avoid using encryption to allow for easier monitoring of your online behavior:

"The Customer shall not take any steps including adopting any encryption system that prevents or in any way hinders the Company from maintaining a log of the Customer or maintaining or having access to copies of all packages/data originating from the Customer."

Of course, enforcement of such a requirement is largely impossible. But YOU Broadband isn't just being randomly obtuse, and while the ISP's TOS is making headlines, this effort isn't really new. Most Indian ISPs are simply adhering to a misguided (and still not adequately updated) set of 2007 guidelines imposed by India's Department of Telecommunications (word doc) demanding that ISPs try and prevent their subscribers from using any encryption with greater than a 40 bit key length if they want to do business in India:

"The Licensee shall ensure that Bulk Encryption is not deployed by ISPs connecting to Landing Station. Further, Individuals/Groups/Organizations are permitted to use encryption upto 40 bit key length in the symmetric key algorithms or its equivalent in other algorithms without having to obtain permission from the Licensor. However, if encryption equipments higher than this limit are to be deployed, individuals/groups/organizations shall do so with the prior written permission of the Licensor and deposit the decryption key, split into two parts, with the Licensor."

Which in and of itself is rather hysterical, given that since 1996 or so, most folks have considered a 40 bit key length to be the security equivalent of wet tissue paper. In fact, Ian Goldberg won $1,000 from RSA for breaking 40 bit encryption in just a few hours way back in 1997, saying this at the time:

"This is the final proof of what we’ve known for years: 40-bit encryption technology is obsolete."

I've yet to see any ISP successfully enforce this ridiculous governmental restriction (if you're in India and you have, let us know in the comment section precisely how). But it's still part of an over-arching mindset that sees standard, intelligent privacy and security practices as an enemy that must be thwarted. Usually either to expand government surveillance, prop up idiot ham-fisted internet filters (as we're seeing in Russia, China and India), or to erode consumer rights in the face of what are endless attempts to monetize your online behavior.

from the bankrupt-ideas dept

Last December, we wrote about China reaching a rather questionable milestone: filing one million patents in a single year. As Techdirt has pointed out repeatedly, more patents do not equate to more innovation, so simply filing huge numbers of patents means very little in itself. The government of India has just found this out the hard way. As The Hindu reports, CSIR-Tech, the commercialization arm of India's Council of Scientific and Industrial Research (CSIR), has had to shut down its operations. The reason? It's run out of money as a result of filing too many patents:

CSIR has filed more than 13,000 patents -- 4,500 in India and 8,800 abroad -- at a cost of ₹50 crore [about $7.7 million] over the last three years. Across years, that's a lot of taxpayers' money, which in turn means that the closing of CSIR-Tech is a tacit admission that its work has been an expensive mistake -- a mistake that we tax-paying citizens have paid for.

The Hindu explains that obtaining thousands of patents was not to protect innovative work, or even to boost licensing revenues. Instead, many scientists wanted to have a patent or two to their name in order to make their curriculum vitae look more impressive:

Recently, CSIR's Director-General Girish Sahni claimed that most of CSIR’s patents were "bio-data patents", filed solely to enhance the value of a scientist's resume and that the extensive expenditure of public funds spent in filing and maintaining patents was unviable. CSIR claims to have licensed a percentage of its patents, but has so far failed to show any revenue earned from the licences. This compulsive hoarding of patents has come at a huge cost. If CSIR-Tech was privately run, it would have been shut down long ago. Acquiring Intellectual Property Rights (IPR) comes out of our blind adherence to the idea of patenting as an index of innovation.

India's unfortunate experience is interesting because it shows how the erroneous view that patents are proof of innovation has led scientists to file applications for them purely out of vanity, with serious knock-on effects. Not only is there no evidence that the resulting patents were worth obtaining, but India's CSIR-Tech office has been forced to shut down as a direct result of applying for them.

from the let's-celebrate-a-rare-win-for-the-public dept

Back in September last year, Mike wrote about the remarkable court ruling in India that copyright is not inevitable, divine or a natural right. As we have been reporting since 2013, the case in question was brought by three big Western publishers against Delhi University and a photocopy shop over "course packs" -- bound collections of photocopied extracts from books and journals that are sold more cheaply than the sources. Although the High Court of Delhi ruled that photocopying textbooks in this way is fair use, that was not necessarily the end of the story: the publishers might have appealed to India's Supreme Court. But as the Spicy IP site reports, they didn't:

In a stunning development, OUP, CUP and Taylor & Francis just withdrew their copyright law suit filed against Delhi University (and its photocopier, Rameshwari) 5 years ago! They indicated this to the Delhi high court in a short and succinct filing made this morning.

This withdrawal brings to an end one of the most hotly contested IP battles ever, pitting as it did multinational publishers against academics and students.

one that ultimately tested the bounds of copyright law in India. And clarified that while educational photocopying is permissible, there are limits to this as well. And that any copying must comport closely with the intended purpose ("in the course of instruction"). In that sense, publishers have made some gains in at least ensuring that a complete free for all regime is not what is intended by the law. But a circumspect one, where the copying has to fall within the bounds of the educational exception.

Overall, this is a huge victory for educational access and public interest in India. And very welcome in a world that was witnessing a rather one sided ratcheting up of IP norms, at the cost of all else!

That's an important point. So often it seems that copyright only ever gets longer and stronger, with the public always on the losing side. The latest news from India shows that very occasionally, it's the public that wins.